24 September 2009

Cloud Computing - My concerns

After a long absence due to a long and stressful project (46 hours working straight was common), I'm back.

Sure, I missed blogging here!

I'm reading a lot about Cloud Computing and how fantastic it is, but I have to wonder...

What about the security aspects?

Well, no rush... Let's start from the basics.

What's Cloud Computing?

Cloud computing is a paradigm of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them.

The concept generally incorporates combinations of the following:

Infrastructure as a service (IaaS).

Platform as a service (PaaS).

Software as a service (SaaS).

Other recent (ca. 2007–09) technologies that rely on the Internet to satisfy the computing needs of users. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the provider's servers.

The term "cloud" is used as a metaphor for the Internet, based on how the Internet is depicted in computer network diagrams, and is an abstraction for the complex infrastructure it conceals.

Now that we all know the very basics, let's focus on the security aspects.

Cloud Computing Weaknesses

A concern I have is related to third-party services in a cloud environment. If we're using this kind of service, how can we be sure that the third-party provider is securing the data in an appropriate way?

We need to know where the data is stored, how securely it is stored, whether the supplier's employees are security vetted, and whether the data is properly disposed of.

Another point that pains me is how robust a cloud can be against a DDoS attack. Some may say "It's a cloud, so by definition it's immune to this type of attack", but in real scenarios, if the data center that is handling my data is down due to this type of attack, it doesn't matter if the cloud is still up. My data is unavailable.

According to Gartner (an interesting article), there are more risks that we, as security professionals, must be aware of:

Privileged user access - Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs.

Regulatory compliance - Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions."

Data location - When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in.

Data segregation - Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability."

Recovery - Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure is vulnerable to a total failure."

Investigative support - Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers."

Long-term viability - Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event.

There are other articles and comments all over the Internet where we can get more information.
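The "data segregation" and "investigative support" points above both come down to the same question: when one tenant's records sit in a shared log next to everyone else's, can the provider hand an investigator exactly that tenant's records, and can the investigator tell whether anything was edited or quietly dropped? The following is an added illustration written for this post, not code from the original article or from Gartner. It assumes a hypothetical provider that holds a separate HMAC key per tenant and attests the current chain "head" for each tenant; the tenant keys, tenant names and log events are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed per-tenant logging keys (hypothetical; a real provider would
# keep these in an HSM or key-management service, never in source).
TENANT_KEYS = {
    "acme": b"acme-log-key-0001",
    "globex": b"globex-log-key-0002",
}


def _mac(key: bytes, ts: str, tenant: str, event: str, prev: str) -> str:
    """HMAC over the record fields plus the previous MAC (the chain link)."""
    msg = json.dumps([ts, tenant, event, prev], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(log: list, heads: dict, ts: str, tenant: str, event: str) -> dict:
    """Append one record to the shared (co-located) log, chained to the
    tenant's previous record. `heads` tracks the latest MAC per tenant."""
    prev = heads.get(tenant, "")
    record = {"ts": ts, "tenant": tenant, "event": event, "prev": prev}
    record["mac"] = _mac(TENANT_KEYS[tenant], ts, tenant, event, prev)
    log.append(record)
    heads[tenant] = record["mac"]
    return record


def export_tenant(log: list, tenant: str) -> list:
    """Give an investigator only one tenant's records (segregation)."""
    return [r for r in log if r["tenant"] == tenant]


def verify_chain(records: list, key: bytes, head: str) -> bool:
    """True iff the exported records are complete, in order and unaltered.
    `head` is the provider-attested MAC of the tenant's latest record."""
    expected_prev = ""
    for r in records:
        if r["prev"] != expected_prev:
            return False  # a record was dropped or reordered in the middle
        calc = _mac(key, r["ts"], r["tenant"], r["event"], r["prev"])
        if not hmac.compare_digest(r["mac"], calc):
            return False  # a record was altered, or this is the wrong key
        expected_prev = r["mac"]
    return expected_prev == head  # catches silent truncation at the tail


def build_sample_log():
    """Constructed sample: two tenants' events interleaved in one log."""
    log, heads = [], {}
    events = [
        ("2009-09-24T10:00:01Z", "acme", "login user=alice src=203.0.113.5"),
        ("2009-09-24T10:00:07Z", "globex", "login user=bob src=198.51.100.9"),
        ("2009-09-24T10:02:30Z", "acme", "download object=payroll.xls"),
        ("2009-09-24T10:03:12Z", "acme", "delete object=payroll.xls"),
        ("2009-09-24T10:05:00Z", "globex", "logout user=bob"),
    ]
    for ts, tenant, event in events:
        append_record(log, heads, ts, tenant, event)
    return log, heads


def demo() -> dict:
    log, heads = build_sample_log()
    acme = export_tenant(log, "acme")
    key, head = TENANT_KEYS["acme"], heads["acme"]
    # Three things an investigator must be able to notice:
    truncated = acme[:-1]                      # the "delete" record vanished
    edited = [dict(r) for r in acme]
    edited[1]["event"] = "download object=readme.txt"   # rewritten history
    return {
        "acme_records": len(acme),
        "leaks_other_tenant": any(r["tenant"] != "acme" for r in acme),
        "intact": verify_chain(acme, key, head),
        "truncation_detected": not verify_chain(truncated, key, head),
        "edit_detected": not verify_chain(edited, key, head),
        "wrong_key_detected": not verify_chain(acme, TENANT_KEYS["globex"], head),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain alone catches edits and gaps in the middle of an export; the attested head is what catches a provider (or an intruder with provider access) trimming the most recent records, which is exactly the "privileged user access" worry from the same list. None of this fixes the data-location or jurisdiction problems, but it is a concrete thing to ask a provider for before you need an investigation.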

Conclusion

Cloud computing is happening now; sooner or later you will need to deal with it, so it's wise to get familiar with it now. Understand the benefits and risks involved so you can be better prepared to mitigate or control them.


About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.
